Rootkit-Based Malware Wreaks Havoc in USA

Bitdefender’s researchers have discovered a new malware threat which infects Windows 10 systems, embeds itself in the operating system and floods the victim with invisible advertisements. This causes significant financial losses to businesses, because they pay for ads shown to imaginary viewers.


Where Did Zacinlo Come From?

The actors behind Zacinlo have been active for the past six years. The group behind Zacinlo is believed to have optimized it for Windows 10 since 2016. There were massive spurts in the growth of Zacinlo infections in 2014 and 2015, and the adware module wreaked havoc in 2017. Most of the affected users are in the US, and they use Windows 10 systems: 9 out of 10 affected users run Windows 10.

Two components have made Zacinlo more dangerous than ever. First and foremost, it has the capacity to survive the most traditional safeguards against malicious software. The adware uploads the configuration details of the system to a remote C&C server for review. The server then instructs Zacinlo to disable the antivirus and anti-malware software on the system.

Moreover, Zacinlo contains a rootkit. The rootkit is incredibly hard to detect because it runs at the lowest level of Windows.

Zacinlo Has Notably Threatening Privacy-Intrusion Characteristics

Apart from the rootkit, it also has a feature for executing man-in-the-middle (MitM) attacks to intercept traffic, including HTTPS traffic. Even though this module could be used to intercept financial sessions and tamper with online payments, the malware chiefly uses it to inject advertisements into pages.

Zacinlo also has a feature which identifies and kills any competing adware. According to Bitdefender, this feature is not very sophisticated, but it is absent from most adware variants.

In addition to killing other adware, Zacinlo has the essential adware features: it collects local system data, forwards it to a remote C&C server, and then receives commands from it. With such controls, the adware operator can uninstall and delete any local services he considers risky, for example, the local services belonging to security software.

The most frightening and threatening module of Zacinlo is “screenshot.” With this tool, the malware is capable of taking screenshots of the infected computer’s screen. This module is quite similar to the ones found in Remote Access Trojans.

It Could Mess with Online Payments

This adware can conduct more evil activities, too. It can intercept communication which is encrypted and can see the online payments made over it. Moreover, it can redirect web browser requests and load spoofed web pages which appear genuine.

The adware is capable of worse still. It can also seize encrypted messages, which it can use to see and fiddle with the victim’s online payments.

What to Do?

It is not easy to remove the Zacinlo rootkit. However, according to a Bitdefender researcher, the best possible way to remove the infection is to use a robust antivirus rescue disk: a USB stick or an optical disk which boots the infected device into a special form of Linux, which can then scan the Windows drive without running it. Several antivirus vendors provide rescue disk images free of charge. Bitdefender has also published steps on how to create a rescue disk image.

Bottom Line

This finding should serve as a wake-up call: do not install any suspicious software. Before you download VPN software, do your research and make sure that it is one you can trust.